Home > Articles

Planning an IT Audit for Sarbanes-Oxley Compliance

  • Print
  • + Share This
In part 1 of a two-part series on handling Sarbanes-Oxley compliance, Michelle Johnston explores how to prepare your organization for auditing.
Like this article? We recommend


Because the Enron and WorldCom scandals got so much attention, and because the Sarbanes-Oxley Act of 2002 affects every public company—and many small companies are voluntarily complying—a great deal of money is being spent on compliance. In fact, in excess of $2.5 billion is expected to be spent on Sarbanes-Oxley compliance-related work in 2004 alone (source: AMR Research).


For simplicity, we'll refer to the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act of 2002 in this article as just Sarbanes-Oxley.

Approximately 20% of that cost is expected to relate directly to IT systems work—in fact, a survey of 60 Fortune 1,000 companies found 85% of companies predicting that Sarbanes-Oxley will require significant changes in IT and application infrastructure. Section 404 of Sarbanes, the section most likely to involve IT auditors, is extremely rigorous, mandating an annual management assessment of internal controls and procedures for financial reporting and requiring an independent auditor to attest to management's assessment.

Under section 404, it's IT management's responsibility to ensure that the documentation and processes are in place before the independent auditor has to come onsite to carry out the attestation review, in order to reduce the chances of signs of a "material weakness" in next year's management letter. Thus, it's inappropriate for IT management to wait until the independent auditor arrives onsite to find out what needs to be changed. IT management needs to have found all the issues and be working actively on remediation of those issues as early as possible in the process; when the independent auditor arrives, ideally most issues have either been resolved or are well on the way to being resolved.

It's important to remember that this whole process must be repeatable, as the Sarbanes-Oxley audit will occur annually—it's not a one-time process, but instead is a chance for IT management (who have had neither the budget nor the time to do so historically) to implement solid best-practice processes, procedures, and policies once and for all!

  • + Share This
  • 🔖 Save To Your Account